Webux Lab

By Studio Webux

Assume role with AWS

Tommy Gingras Studio Webux 2022-01-05

Bash Script to assume a role with AWS and a subshell (experiment)

A simple bash script that uses your current AWS profile (AWS_PROFILE) and loads the environment variables required to assume a specified role (given in the environment variable ROLE_TO_ASSUME).

This approach was tricky to think about, mostly because a subshell cannot pass exported environment variables back to its parent shell. (I also tried the same thing with NodeJS instead of bash, but the same issue occurred.)

It is not implemented with MFA support as it is, but it can easily be adapted to support it.

Note

The simplest way to do all of that is still the AWS_PROFILE approach: configure each role inside the ~/.aws/credentials file, then change your AWS_PROFILE to point to the other account and assume the wanted role.

This article is only an experiment to see whether the role-assuming process can be simplified when you have multiple accounts and roles for different types of tasks.


The script

#!/bin/bash
RED='\[\033[0;31m\]'   # \[ \] tell bash the escape codes take no width in the prompt
NC='\[\033[0m\]'       # No Color

ROLE_ARN=$ROLE_TO_ASSUME
ROLE_SESSION_NAME="ops"

if [ -z "$ROLE_ARN" ]; then
    echo "No ROLE_TO_ASSUME defined"
    exit 1
fi

# The call is made with the credentials of the current AWS_PROFILE
ASSUMED_ROLE=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "$ROLE_SESSION_NAME")

if [ $? -ne 0 ]; then
    echo "Failed to assume the role defined"
    exit 2
fi

# The temporary credentials replace the profile for the rest of this subshell
export AWS_ACCESS_KEY_ID=$(echo "$ASSUMED_ROLE" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$ASSUMED_ROLE" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$ASSUMED_ROLE" | jq -r '.Credentials.SessionToken')
unset AWS_PROFILE
unset ROLE_TO_ASSUME

CUSTOM_PROMPT=$(echo "$ROLE_ARN" | cut -d / -f2)   # role name
ACCOUNT_ID=$(echo "$ROLE_ARN" | cut -d: -f5)       # account id
CWD=$(basename "$PWD")                             # (rev | cut -d/ -f1 gave the directory name reversed)
export PS1="$CWD (${RED}$ACCOUNT_ID:$CUSTOM_PROMPT${NC}) % "
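As an added example (not the original assume-role.sh and not code from Studio Webux), the helpers below take the two things the script does with cut and jq and make them stricter: the role ARN is validated before it is handed to the AWS CLI, and the credentials are read from the CLI's --output text form (no jq needed) and printed as export statements, so the parent shell can eval them instead of opening a subshell. The function names, the constructed sample credentials and the optional MFA parameters are assumptions of this example; the aws sts assume-role options used (--query, --output, --serial-number, --token-code) are real CLI flags.

```bash
#!/bin/bash
# Added example (not the original assume-role.sh): validate the role ARN
# before it reaches the AWS CLI, and turn the CLI's tab-separated text output
# into export statements that the *parent* shell can eval, which avoids the
# subshell-export limitation. Names here are this example's own.

# parse_role_arn ARN -> prints "ACCOUNT_ID<TAB>ROLE_NAME"; returns 1 if malformed.
# Rejecting bad input up front avoids a confusing STS error (or an exit code
# that a caller forgot to check) further down.
parse_role_arn() {
    local arn=$1 name
    if [[ ! $arn =~ ^arn:aws:iam::([0-9]{12}):role/(.+)$ ]]; then
        echo "parse_role_arn: not an IAM role ARN: '$arn'" >&2
        return 1
    fi
    name=${BASH_REMATCH[2]}
    # Roles may carry a path (role/path/name); keep the last component for the prompt.
    printf '%s\t%s\n' "${BASH_REMATCH[1]}" "${name##*/}"
}

# credentials_to_exports LINE
# LINE is what "aws sts assume-role --output text" prints for the query
#   Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]
# i.e. four tab-separated fields. Prints shell statements; returns 1 if a field is missing.
credentials_to_exports() {
    local key secret token expiry extra
    IFS=$'\t' read -r key secret token expiry extra <<<"$1"
    if [[ -z $key || -z $secret || -z $token || -z $expiry || -n $extra ]]; then
        echo "credentials_to_exports: expected exactly 4 tab-separated fields" >&2
        return 1
    fi
    printf '# temporary credentials expire at %s\n' "$expiry"
    printf 'export AWS_ACCESS_KEY_ID=%q\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%q\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%q\n' "$token"
    # Drop the profile so the CLI cannot silently fall back to the long-lived keys.
    printf 'unset AWS_PROFILE\n'
}

# assume_role_exports ARN [MFA_SERIAL TOKEN_CODE]
# Runs the real CLI call (needs network and a configured AWS_PROFILE), so it is
# not exercised by the offline demo below. Intended use in the current shell:
#   eval "$(assume_role_exports "$ROLE_TO_ASSUME")"
assume_role_exports() {
    local arn=$1 mfa_serial=$2 token=$3 line
    parse_role_arn "$arn" >/dev/null || return 1
    local args=(sts assume-role --role-arn "$arn" --role-session-name ops
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]'
        --output text)
    # MFA is the same call with the device serial and the current code.
    if [[ -n $mfa_serial ]]; then
        args+=(--serial-number "$mfa_serial" --token-code "$token")
    fi
    line=$(aws "${args[@]}") || return 2
    credentials_to_exports "$line"
}

# Constructed sample in the shape of the CLI text output (real values are longer).
SAMPLE_CREDS=$'ASIAEXAMPLEKEYID\twJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\tFwoGZXIvYXdzEBEXAMPLETOKEN==\t2022-01-05T20:00:00+00:00'

# Offline demo: derive the prompt pieces and the export statements.
parse_role_arn 'arn:aws:iam::123456789012:role/role-name-to-assume'
credentials_to_exports "$SAMPLE_CREDS"
```

Because the statements are printed rather than executed, eval'ing them in the shell you are already in gives the same result as the subshell approach without the -rcfile trick, and the echoed Expiration line tells you when the temporary credentials stop working. The role path handling differs slightly from the script above: a role ARN such as role/ops/admin yields admin for the prompt, where cut -d / -f2 would yield ops.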

How to use

export AWS_PROFILE=my-aws-profile
export AWS_REGION=ca-central-1

# -rcfile makes bash source assume-role.sh instead of ~/.bashrc; -i keeps the subshell interactive
ROLE_TO_ASSUME="arn:aws:iam::123456789012:role/role-name-to-assume" \
/bin/bash -rcfile ./assume-role.sh -i

aws sts get-caller-identity

# ctrl+d to quit the subshell

Alias

# run from the directory containing assume-role.sh: $PWD is expanded into the alias
if ! grep -q 'alias assume-role' ~/.zshrc; then
    echo -e "\nalias assume-role='/bin/bash -rcfile $PWD/assume-role.sh -i'" >> ~/.zshrc
else
    echo '[assume-role] alias already configured'
fi

source ~/.zshrc

Example

export ROLE_TO_ASSUME="arn:aws:iam::123456789012:role/role-name-to-assume"
assume-role

Output:

tgingras@tommys-MacBook-Air sts % assume-role

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
sts (123456789012:role-name-to-assume) % 
env | grep AWS

Output:

AWS_SESSION_TOKEN=...
AWS_SECRET_ACCESS_KEY=...
AWS_ACCESS_KEY_ID=...

You can use this command to confirm that you are now using the wanted role: aws sts get-caller-identity

And to exit the subshell, simply type exit or press ctrl+d.

